When people think that student data in K-12 schools is compromised, they tend to imagine things like test scores and grades being shared publicly.
While it is unfortunate that that type of information is released, it is minor compared to other problems that a data breach can cause for students.
“What has surprised people is that students themselves can be valuable targets for financial reasons,” says Doug Levin, co-founder and national director of K12 Security Information eXchange, a nonprofit dedicated to securing K-12 schools. of emerging threats to cybersecurity.
“Students, especially younger ones, have impeccable credit and tax records,” he says, making them an attractive target.
This also makes students especially vulnerable to identity theft crimes that can occur after a school becomes the victim of a successful cyberattack. The value of students' personal data is part of the reason school cyberattacks are becoming more common. In a 2023 survey of school IT leaders, 80% said their school was affected by ransomware attacks in the past year..
School IT leaders have dedicated increased resources and efforts to preventing these attacks with staff training and stricter security requirements, such as two-factor authentication. But the dangers that an attack poses to students and the role that students must play in helping protect school networks are still not always fully appreciated, Levin says.
Why cybercriminals attack student data
In addition to having impeccable credit records, students are at greater risk when their identity is stolen because no one monitors their spending activity.
“They don't have anyone watching their credit records, and as a result, they can end up being abused for years until a student maybe applies for a college loan or tries to rent an apartment or buy a car,” Levin says. “Unfortunately, we have seen cases where first grade students were subject to identity theft as a direct result of a cybersecurity incident at school.”
Multiple ways to compromise student data
Just because a school network requires two-factor authentication for staff doesn't mean your network is safe from hackers. Although student accounts do not have the same rights and privileges as teacher and staff login accounts, there have been cases where educators have unintentionally shared sensitive student data in environments where students can gain access, which can pose significant risks, Levin says.
“If a threat actor was able to guess or otherwise obtain the login information for a student account, they can then access and exfiltrate sensitive data, and abuse that information or attempt to extort the school district to prevent it from being revealed.” . abused,” she says.
Another way student data can be compromised is through scams that target students directly.
“One of the most common ones we've seen have been fake job offers,” Levin says. These often take the form of a great job offer that is dependent on the student providing various forms of personal information for processing purposes. When students fall for this, their personal data can be compromised.
How students can help protect their own data
“People have begun to realize that educating staff about phishing scams and increasing their awareness of cybersecurity is important because the way many of these attacks against school systems are successful is through phishing employees ” says Levin. “But students themselves are potentially a vector for these types of attacks against school districts and they too are at risk, and this underscores that they themselves must be an audience for these trainings.” He adds that this training should be done at an early age for students, as children are coming online earlier and earlier.
Levin also makes clear that he does not believe that protecting student data should be the sole responsibility of schools. edtech companies should provide more data protection for all student-facing products, he says, “so we don't need more expensive licenses to get the basic security features we need to protect our school communities.”
In general, education also needs more funding to address cybersecurity and student data privacy issues.
“Schools need more resources, support and help from the state government and also the federal government,” Levin says. “It's important for people to understand that this is not an individual school system problem. “This is a sector-wide issue and we really need more support and help from the government.”
